Advanced WildFire Powered by Precision AI™
Forward Files for Advanced WildFire Analysis
Table of Contents
Forward Files for Advanced WildFire Analysis
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Configure Palo Alto Networks firewalls to forward
unknown files or email links and blocked files that match existing
antivirus signatures for analysis. Use the WildFire Analysis profile
to define files to forward to one of the Advanced WildFire public
cloud options and then attach the profile to a security rule to
trigger inspection for zero-day malware.
Specify traffic to
be forwarded for analysis based on the application in use, the file
type detected, links contained in email messages, or the transmission
direction of the sample (upload, download, or both). For example,
you can set up the firewall to forward Portable Executables (PEs)
or any files that users attempt to download during a web-browsing
session. In addition to unknown samples, the firewall forwards blocked
files that match existing antivirus signatures. This provides Palo
Alto Networks a valuable source of threat intelligence based on
malware variants that signatures successfully prevented but has
not been seen before.
If you are using a WildFire appliance
to host a WildFire private cloud, you can extend WildFire analysis
resources to a WildFire hybrid cloud,
by configuring the firewall to continue to forward sensitive files
to your WildFire private cloud for local analysis, and forward less
sensitive or unsupported file types to the WildFire public cloud.
For more information about using and configuring the WildFire appliance,
refer to the WildFire Appliance Administration.
Before
you begin:
- File analysis support can have minor differences between Advanced WildFire cloud regions. Refer to File Type Support for more information.
- If a firewall resides between the firewall you are configuring to forward files and the Advanced WildFire cloud, make sure that the firewall in the middle allows the following ports:PortUsage443Registration, PCAP Downloads, Sample Downloads, Report Retrieval, File Submission, PDF Report Downloads10443Dynamic Updates
Forward Files for Advanced WildFire Analysis (Cloud Management)
If you’re using Panorama to manage Prisma Access:
Toggle over to the PAN-OS tab
and follow the guidance there.
If you’re using Prisma Access Cloud Management, continue here.
- Specify the Advanced WildFire cloud to which you want to forward samples.Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesWildFire and AntivirusGeneral Settings and edit the General Settings based on your WildFire cloud deployment (public, government, private, or hybrid).The WildFire U.S. Government Cloud is only available to U.S. Federal agencies as an optional analysis environment.Add the WildFire Cloud URL for the cloud environment to forward samples to for analysis.Advanced WildFire Public Cloud options:
- Enter the WildFire Public Cloud URL:
- United States: wildfire.paloaltonetworks.com
- Europe: eu.wildfire.paloaltonetworks.com
- Japan: jp.wildfire.paloaltonetworks.com
- Singapore: sg.wildfire.paloaltonetworks.com
- United Kingdom: uk.wildfire.paloaltonetworks.com
- Canada: ca.wildfire.paloaltonetworks.com
- Australia: au.wildfire.paloaltonetworks.com
- Germany: de.wildfire.paloaltonetworks.com
- India: in.wildfire.paloaltonetworks.com
- Switzerland: ch.wildfire.paloaltonetworks.com
- Poland: pl.wildfire.paloaltonetworks.com
- Indonesia: id.wildfire.paloaltonetworks.com
- Taiwan: tw.wildfire.paloaltonetworks.com
- France: fr.wildfire.paloaltonetworks.com
- Qatar: qatar.wildfire.paloaltonetworks.com
- South Korea: kr.wildfire.paloaltonetworks.com
- Israel: il.wildfire.paloaltonetworks.com
- Saudi Arabia: sa.wildfire.paloaltonetworks.com
- Spain: es.wildfire.paloaltonetworks.com
Make sure the WildFire Private Cloud field is clear.WildFire FedRAMP Cloud options:- Enter the WildFire FedRAMP Cloud URL:
- U.S. Government Cloud: wildfire.gov.paloaltonetworks.com
- Advanced WildFire Government Cloud: gov-cloud.wildfire.paloaltonetworks.com
- Advanced WildFire Public Sector Cloud: pubsec-cloud.wildfire.paloaltonetworks.com
Make sure the WildFire Private Cloud field is clear.Enable Prisma Access to forward decrypted SSL traffic for Advanced WildFire analysis by selecting Allow Forwarding of Decrypted Content. Decrypted traffic is evaluated against security policy rules; if it matches the WildFire analysis profile attached to the security rule, the decrypted traffic is forwarded for analysis before it is re-encrypted.Forwarding decrypted SSL traffic for analysis is an Advanced WildFire Best Practice.Define the size limits for samples the Prisma Access forwards for analysis.It is a Advanced WildFire Best Practice to set the file forwarding values to the default setting.Configure submission log settings.- Select Report Benign Files to allow logging for files that receive a verdict of benign.Select Report Grayware Files to allow logging for files that receive a verdict of grayware.When finished, Save your changes.Define traffic to forward for analysis.
- Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesWildFire and Antivirus, and then Add Profile. Provide a Name and Description for the profile.Add Rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.Define the profile rule to match to unknown traffic and to forward samples for analysis based on:
- Direction of Traffic—Forward files for analysis based the transmission direction of the file (Upload, Download, or Upload and Download). For example, select Upload and Download to forward all unknown PDFs for analysis, regardless of the transmission direction.
- Applications—Forward files for analysis based on the application in use.
- File Types—Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
- Select the destination for traffic to be forwarded for Analysis.
- Select Public Cloud so that all traffic matched to the rule is forwarded to the Advanced WildFire public cloud for analysis.
- Select Private Cloud so that all traffic matched to the rule is forwarded to the WildFire appliance for analysis.
- Save the WildFire analysis forwarding rule when finished.
Save the WildFire and Antivirus security profile.Enable the WildFire and Antivirus Security Profile.Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; Prisma Access forwards traffic matched to the profile for WildFire analysis.Push configuration changes.(Optional) Enable Advanced WildFire Inline MLChoose what to do next...- Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for analysis.
- Monitor WildFire Activity to assess alerts and details reported for malware.
Forward Files for Advanced WildFire Analysis (PAN-OS & Panorama)
- (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward samples for analysis, you must first configure a data port on an NPC as a Log Card interface. If you have a PA-7000 series appliance equipped with an LFC (log forwarding card), you must configure a port used by the LFC. When configured, the log card port or the LFC interface takes precedence over the management port when forwarding samples.Specify the Advanced WildFire Deployments to which you want to forward samples.Select DeviceSetupWildFire and edit the General Settings based on your WildFire cloud deployment (public, government, private, or hybrid).The WildFire U.S. Government Cloud is only available to U.S. Federal agencies as an optional analysis environment.Advanced WildFire Public Cloud:
- Enter the WildFire Public Cloud URL:
- United States: wildfire.paloaltonetworks.com
- Europe: eu.wildfire.paloaltonetworks.com
- Japan: jp.wildfire.paloaltonetworks.com
- Singapore: sg.wildfire.paloaltonetworks.com
- United Kingdom: uk.wildfire.paloaltonetworks.com
- Canada: ca.wildfire.paloaltonetworks.com
- Australia: au.wildfire.paloaltonetworks.com
- Germany: de.wildfire.paloaltonetworks.com
- India: in.wildfire.paloaltonetworks.com
- Switzerland: ch.wildfire.paloaltonetworks.com
- Poland: pl.wildfire.paloaltonetworks.com
- Indonesia: id.wildfire.paloaltonetworks.com
- Taiwan: tw.wildfire.paloaltonetworks.com
- France: fr.wildfire.paloaltonetworks.com
- Qatar: qatar.wildfire.paloaltonetworks.com
- South Korea: kr.wildfire.paloaltonetworks.com
- Israel: il.wildfire.paloaltonetworks.com
- Saudi Arabia: sa.wildfire.paloaltonetworks.com
- Spain: es.wildfire.paloaltonetworks.com
Make sure the WildFire Private Cloud field is clear.WildFire FedRAMP Cloud options:- Enter the WildFire FedRAMP Cloud URL:
- U.S. Government Cloud: wildfire.gov.paloaltonetworks.com
- Advanced WildFire Government Cloud: gov-cloud.wildfire.paloaltonetworks.com
- Advanced WildFire Public Sector Cloud: pubsec-cloud.wildfire.paloaltonetworks.com
Make sure the WildFire Private Cloud field is clear.Define the size limits for files the firewall forwards and configure logging and reporting settings.Continue editing General Settings (DeviceSetupWildFire).- Review the File Size Limits for files
forwarded from the firewall.It is a Advanced WildFire Best Practices to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.
- Select Report Benign Files to allow logging for files that receive a verdict of benign.
- Select Report Grayware Files to allow logging for files that receive a verdict of grayware.
- Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports and click OK to save the settings.
Define traffic to forward for analysis.- Select ObjectsSecurity ProfilesWildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.Add a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.Define the profile rule to match to unknown traffic and to forward samples for analysis based on:
- Applications—Forward files for analysis based on the application in use.
- File Types—Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
- Direction—Forward files for analysis based the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.
Click OK to save the WildFire analysis profile.Attach the WildFire Analysis profile to a security policy rule.Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewalls forwards traffic matched to the profile for WildFire analysis.- Select PoliciesSecurity and Add or modify a policy rule.Click the Actions tab within the policy rule.In the Profile Settings section, select Profiles as the Profile Type and select a WildFire Analysis profile to attach to the policy ruleMake sure to enable the firewall to also Forward Decrypted SSL Traffic for Advanced WildFire Analysis.This is a recommended best practice.(Optional) Enable Advanced WildFire Inline ML(Optional) Enable Hold Mode for Real-Time Signature LookupReview and implement Advanced WildFire Best Practices.Click Commit to apply the updated settings.(Optional) Install a Device Certificate to update to the latest version of the certificate used by the firewall to communicate with Palo Alto Networks cloud services.(Optional) Configure the Content Cloud FQDN Settings.Choose what to do next...
- Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for analysis.
- Monitor WildFire Activity to assess alerts and details reported for malware.